Taking one part stateful inspection firewall, one part intrusion prevention, and equal parts anti-virus, anti-spam, anti-spyware, and content filtering, UTM (Unified Threat Management) appliances blend traditionally separate security services into a single device, providing not only comprehensive protection against Internet-based threats but also streamlined access to policies and reporting.

Now, instead of jumping between separate security tools and management UIs, admins need only go to one place to manage and monitor these systems. Updates are scheduled and initiated from a single console, reports are viewed from one appliance, and policy is managed from one device.

By moving all of these security services into a single device, UTM appliances are supposed to reduce the admin’s workload; ease-of-use is one of the main selling points. A well-crafted UI can make short work of checking for signature updates, recent activity, and alerts. All of the solutions I tested provided “at a glance” monitoring and management, although some did it better than others. For the datacenter folks, all of the appliances can report to the common external systems, including Syslog and SNMP tools, and all have their own branded central management tool.

A possible argument against UTM appliances is that security staff can no longer pick a specific solution for each defense; they have to use the UTM vendor’s bundled products. If, for example, the enterprise has standardized on CA’s anti-virus and anti-spyware products but wants another vendor’s firewall/VPN, there is no way to integrate the two systems into a common management platform.

For most, this argument is moot. The security services bundled together are typically “best of breed” services in their own right. For example, Astaro uses a combination of Kaspersky and open source signatures for virus protection, whereas WatchGuard and ServGate employ McAfee AV. I don’t believe any security administrator is going to stop using desktop anti-virus or anti-spyware protection and rely solely on the network edge device. UTM’s goal is to stop the threats before they can enter the network, with desktop protection as the last line of defense.

Take your places, please

For this round up of UTM solutions, we requested the model most suited for branch-office deployment. For us, that meant the smallest rack-mountable device that supports all core UTM features and can be managed centrally from the corporate datacenter. We ended up with a range of products from Astaro, Fortinet, ServGate, SonicWall, and WatchGuard, all 1U appliances and more than up to the task. Symantec, Secure Computing, and TippingPoint were invited but were not able to participate due to various scheduling conflicts.

I ran each appliance through a series of test scenarios similar to what any protected office might experience. I placed each firewall in front of a Windows SBS (Small Business Server) 2003 server running Outlook Web Access, the standard SBS remote workplace portal, SMTP mail services (Exchange), and an FTP server. I created inbound policies designed to expose yet protect each service. I then tried to exploit these services using Core Impact from Core Security Technologies.

My penetration tests included a series of attacks using well-known and well-documented exploits for each service. I targeted the attacks against the exposed services, all of which attempted to either take the service offline (DoS) or run code on the server. Core Impact made these tests extremely easy to set up, but even more importantly, it allowed the same tests to be repeated for each UTM appliance. The results proved that each firewall was more than capable of preventing a direct attack, and not once was my targeted server interrupted. During each attack phase, I kept an eye on the firewall’s logs to monitor developments as the attack took place.

One other test was to stress the virus scanning capabilities of each UTM box. To do this, I copied a 160MB virus-infected ZIP file from a “public” FTP server into my protected network from a Windows XP system using Internet Explorer as the FTP client. Only SonicWall and ServGate were capable of handling the file copy correctly without ignoring the virus in the file. I was amazed to find that not all UTM solutions can scan for viruses in all types of traffic in all situations. This is an area that many vendors need to work on.


Astaro Security Gateway 220

The Astaro Security Gateway 220 packs its UTM punch into a chassis loaded with eight 10/100Mbps Ethernet interfaces. The ASG 220 has a 40GB hard drive that is also used for Web caching and quarantining of spam and virus-infected objects. Setup and policy creation was not as straightforward as Fortinet’s or SonicWall’s but didn’t take more than an hour to complete. Astaro does, however, have one of the better built-in reporting engines.

Putting together the various inbound and outbound access rules takes a few extra clicks to complete, requiring the admin to create both a packet filter rule and a dynamic NAT rule in order to allow valid inbound traffic. Other appliances, such as ServGate and SonicWall, take care of this extra step. Outbound policy can be defined in different ways using the various proxies to mix and match users, hosts, and destinations along with content filters to provide just the right blend of threat management.

The ASG 220 comes with a full line of standard routing features and can be set up in transparent mode with all eight interfaces bridged — the only unit that can do that. I like having the capability to set up different subnets on the various physical interfaces and to create policies among them, including VLANs. The 220 also works with dynamic DNS and RIP (Routing Information Protocol) v1 and v2. QoS is available per policy but is limited to normal, low, or high settings.

Defining the various security policies for inbound traffic required a mix of packet filters, proxies, and NAT definitions. As opposed to SonicWall, which does the heavy lifting for you, Astaro requires admins to create each packet filter rule and match it with a manually created NAT rule in order for traffic to flow in to exposed Web services. This requirement doesn’t limit the functionality of the policy; it just adds a little additional administrative overhead.

Astaro’s core UTM features are built as part of the application proxies. For example, virus scanning will check inbound and outbound traffic through the SMTP proxy and can quarantine suspicious messages for later analysis. The HTTP proxy provides content filtering on client-requested traffic and uses Cobion URL filtering lists to mitigate casual surfing. Unfortunately, anti-virus scanning isn’t available for FTP traffic unless admins enable the HTTP proxy in standard mode and use a browser to copy files over FTP; files fetched with a command-line or dedicated FTP client are not scanned at all. A true FTP proxy will be available in the next release and will include anti-virus scanning.

IPS is well represented with a list of more than 4,000 detection signatures. IPS rules are grouped by attack type, which allows for quick and easy management. During my penetration tests with Core Impact, I was never able to exploit any of the services exposed through the ASG 220. Every attack was turned away and logged for later inspection.

Any self-respecting UTM appliance will have a full complement of VPN services, and the ASG 220 is no exception. It has a wide range of cipher strengths and hash algorithms allowing for very flexible deployment. Also included is Microsoft PPTP (Point-to-Point Tunneling Protocol) for client-to-site road warriors, although PPTP’s MS-CHAP-based authentication is weak by current standards and IPSec should be preferred wherever the client supports it. Similar to policy definition, IPSec policy required a little more effort to complete.

The well-rounded reporting engine in the ASG 220 provides a wide variety of graphical charts as well as raw log files. There are two additional packages, the Report Manager and the Configuration Manager, that allow for centralized reporting aggregation and policy management.

Fortinet FortiGate 400A

The FortiGate 400A ships with six 10/100Mbps Ethernet interfaces and combines slick policy management with routing capabilities usually found only in bigger hardware. UTM services are complete, as are VPN and dynamic routing services. Remote management is performed through the FortiManager console, and local logging, although included, could be improved. Initial setup and configuration took less than 30 minutes to complete, and FortiGate’s IPS proved to be up to the task of stopping all the Core Impact attacks I threw at it.

The most expensive UTM box in our roundup, the FortiGate boasts a very flexible and powerful routing engine. Each of its six interfaces can be a member of a different IP network with distinct routing policies and RIP v1 and v2 settings. In fact, unique among the appliances tested, the FortiGate allows each physical interface to have its own DHCP server. One of the most interesting features is that the appliance can be divided into two virtual domains. This feature essentially splits the firewall into two logical devices. Physical interfaces and policies are each assigned as members of a specific domain.

Firewall access policies in the 400A allow for many different situations without being overly complex to define. I found it easy to create address assignments for specific services and to create security policies based on each type of traffic. Access policies are not automatically ordered, as they are by the SonicWall Pro 2040, but it is easy to reorder them from the UI.

The 400A works with site-to-site IPSec VPNs and also PPTP and L2TP (Layer 2 Tunneling Protocol) client-to-site connections. Encryption strength ranges from DES to AES256 (Advanced Encryption Standard 256-bit); single DES is no longer considered secure and should be left disabled in favor of 3DES or AES. Fortinet’s QoS support is among the best, with the capability to prioritize traffic and manipulate the Diffserv values.

All of the expected security services are in the 400A, and unlike Astaro and WatchGuard, whose anti-virus scanning is tied to specific application proxies, Fortinet allows anti-virus scanning to be assigned to any type of traffic, not just SMTP. Services are enabled and assigned specific actions in a Protection Profile. Profiles can be a specific mix of services tailored to a type of traffic. For example, I created a profile only with anti-virus and IPS enabled and used it as a protection policy for FTP traffic. Admins can create many different profiles, each for a specific need.

The anti-virus service, although better than most, has its limitations. There is an upper limit on the maximum file size that can be scanned as it passes through the FortiGate. If the file exceeds 50MB — the upper limit for the model I tested — admins have the choice of denying the transfer completely or ignoring the oversized file and passing it without scanning it. This size limitation applies to all forms of traffic.

Fortinet maintains its own signature lists for anti-virus, IPS, Web, and spam filters, and updates can be scheduled hourly to make sure the latest definitions are online. In addition to signatures, the IPS uses anomaly detection to protect exposed systems. Admins can create custom signatures or simply use the included list. As with all of the solutions tested here, Core Impact couldn’t find a crack in Fortinet’s IPS.

Reporting and logging services are average. Five different logs are included, but for the best results, admins will want to ship the information off to either a Syslog or WebTrends server. For centralized management, Fortinet’s FortiManager is the platform to use. It allows for direct remote management as well as report and log aggregation.

ServGate EdgeForce M30

ServGate’s EdgeForce M30 appliance comes with three 10/100Mbps interfaces and a 20GB hard drive used for Web caching and many of its core security services. Setup and configuration of the M30 was straightforward; I had the unit online with a default outbound policy in less than 30 minutes. The M30 came in as the lowest-cost appliance in our group, and policy creation and maintenance were not overly difficult.

The M30 is based on purpose-built hardware. At its heart is a stateful inspection firewall that provides good all-around protection. As do Fortinet and WatchGuard, ServGate provides dynamic routing, such as RIP v1 and v2, and static routing, as well as dynamic DNS. QoS is included, but it isn’t nearly as complete as the support found in Fortinet. VLAN support will be available in the next release of the ServGate OS.

VPN services are also well supported with various flavors of site-to-site IPSec and PPTP, and ServGate’s VPN client handling client-to-site chores. Admins can choose among cipher strengths up to 3DES and AES256.

Creating inbound policy for my protected resources required first defining a virtual IP alias for each service and then plugging them in to the appropriate IP mapping policy. Part of the policy creation includes what content filter to apply to the inbound traffic. ServGate’s content filters are based on IPS rules and the additional security services such as anti-virus.

For example, I was able to create a “test” content filter for my exposed Web server using a predefined Web server IPS policy and then by choosing to add anti-virus filtering. Admins can use the canned IPS and content filter rules or create new ones to meet specific needs. My only complaint is that I had to hop among three different areas of the admin console in order to manipulate and assign a content filter.

The security services available in the M30 are very good, using a mix of best-of-breed and in-house developed services. For anti-virus and anti-spam, ServGate uses McAfee’s scanning engines. For Web filtering, SurfControl is included. All licensing for these third-party tools is handled by ServGate and included in the total price. Because the M30 has a local hard drive, files and messages can be quarantined instead of simply discarded.

ServGate’s IPS, which is based on the open source Snort signatures, allows for a good deal of flexibility when creating content filters. The list of rules is nicely broken up into categories such as “exploit,” “P2P,” and “Web attacks,” which simplifies creating IPS rules for content filters. In all of my penetration tests, ServGate’s IPS rules and policies held firm and prevented any unauthorized access.

Remote monitoring and reporting is very well done using Global Manager. It provides a nice platform for maintaining all aspects of the M30 from a centralized datacenter. A single Global Manager system can handle as many as 200 EdgeForce devices. Look for greater scalability in the next release.

SonicWall Pro 2040

The SonicWall Pro 2040 comes with four 10/100Mbps interfaces for network connectivity and a host of solid firewalling services. Installation and initial configuration was the easiest out of our group, thanks to some handy setup wizards. Setup required only a few minutes to get the appliance online and passing traffic. Policy management is relatively straightforward, again assisted by helpful wizards. VLAN support, although missing from this release, will be available soon.

The Pro 2040 doesn’t leave anything out in terms of firewall features. Its stateful inspection engine comes with a vast array of predefined services and allows for the addition of custom services. For quicker rule creation, individual services can be grouped into a single object. As opposed to Astaro and WatchGuard, SonicWall does not rely on any application proxies. This means the Pro 2040 can apply anti-virus filters and all other protections to any type of traffic.

Firewall policy management is made easier through the use of a new “matrix” view of the access rules. I was able to filter my view quickly to zero in on a specific set of physical interfaces and the rules associated with them. For anyone who has to maintain a large rule set, this feature will ease your administrative burden significantly. Support for dynamic DNS is included, as is QoS, but VLAN support won’t be available until the next OS release. Dynamic routing is also missing from this release; RIP and OSPF will be available in the next version.

VPN capabilities are adequate in the Pro 2040, providing IPSec site-to-site and client-to-site PPTP and support for SonicWall’s own VPN client. Cipher choices aren’t as wide as those in the Astaro 220, but with 3DES and AES256, encryption strength should not be a problem. As with policy creation, a VPN policy wizard walks admins through the initial tunnel definition.

SonicWall’s security services are a combination of third-party and internally developed products. Network anti-virus (client-side) is handled through an agreement with McAfee, whereas gateway AV (real-time TCP stream scanning) is handled by SonicWall’s own scanning engine. Anti-spyware scanning uses signatures developed in-house and through a “secret” third-party alliance, and content filtering is done with SonicWall’s system or in conjunction with an N2H2 or Websense server.
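The difference between proxy-based scanning (Astaro, WatchGuard) and the TCP stream scanning described above is easy to get wrong when you write your own detection: a scanner that looks at each TCP segment in isolation never sees a signature that is cut in half by a segment boundary, so the stream scanner has to carry the tail of the previous segment forward. The following is an added illustration of that technique, not SonicWall’s engine or any code from the review; the signatures, the filler payload and the segment size are constructed for the example.

```python
"""Gateway AV that scans a TCP stream must remember the tail of the previous
segment, or a signature that straddles two segments is never seen.
Illustration of the technique only; not any vendor's scanning engine."""
from typing import Iterable, List, Tuple

# Constructed signatures: the EICAR test-file marker and a made-up pattern.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", b"MZ\x90\x00evil"]

Hit = Tuple[bytes, int]   # (signature, byte offset in the stream)


class StreamScanner:
    """Stateful matcher: feed() it each TCP segment in order."""

    def __init__(self, signatures: Iterable[bytes]) -> None:
        self.sigs = list(signatures)
        # Keep (longest signature - 1) bytes of carry-over: enough that any
        # signature cut by a segment boundary is whole in the next buffer.
        self.keep = max(len(s) for s in self.sigs) - 1
        self.tail = b""
        self.offset = 0          # stream offset of self.tail[0]

    def feed(self, segment: bytes) -> List[Hit]:
        buf = self.tail + segment
        hits: List[Hit] = []
        for sig in self.sigs:
            start = 0
            while (i := buf.find(sig, start)) != -1:
                # A match that ends inside the old tail was already reported
                # on the previous call; only report matches ending in new data.
                if i + len(sig) > len(self.tail):
                    hits.append((sig, self.offset + i))
                start = i + 1
        consumed = max(0, len(buf) - self.keep)
        self.offset += consumed
        self.tail = buf[consumed:]
        return hits


def per_segment_scan(segments: Iterable[bytes],
                     signatures: Iterable[bytes]) -> List[Tuple[bytes, int]]:
    """The naive approach: inspect each segment on its own (returns segment index)."""
    sigs = list(signatures)
    return [(sig, n) for n, seg in enumerate(segments) for sig in sigs if sig in seg]


def split_stream(payload: bytes, sizes: Iterable[int]) -> List[bytes]:
    """Cut payload at the given segment sizes; the remainder is the last segment."""
    out, pos = [], 0
    for n in sizes:
        out.append(payload[pos:pos + n])
        pos += n
    if pos < len(payload):
        out.append(payload[pos:])
    return out


def compare_scanners() -> Tuple[List[Hit], List[Tuple[bytes, int]]]:
    """Constructed stream: 100 filler bytes, the EICAR marker, 100 more bytes,
    segmented so the marker is cut in half at the TCP boundary."""
    sig = SIGNATURES[0]
    payload = b"A" * 100 + sig + b"B" * 100
    segments = split_stream(payload, [100 + len(sig) // 2])
    scanner = StreamScanner(SIGNATURES)
    stream_hits = [h for seg in segments for h in scanner.feed(seg)]
    return stream_hits, per_segment_scan(segments, SIGNATURES)


if __name__ == "__main__":
    stream_hits, naive_hits = compare_scanners()
    print("stream scanner:", stream_hits)   # [(b'EICAR-STANDARD-ANTIVIRUS-TEST-FILE', 100)]
    print("per-segment  :", naive_hits)     # []
```

The carry-over length is the longest signature minus one byte, which is the smallest window that guarantees no signature can be split invisibly; the end-of-match check keeps a short signature that sits entirely inside the retained tail from being reported twice.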

SonicWall’s security services are applied globally; they don’t allow for per-traffic-flow assignment. For instance, for outbound traffic, I could enable all security services, but I couldn’t define a specific combination of services for a specific type of outbound traffic. The ASG 220, the FortiGate’s protection profiles, and the WatchGuard Firebox do allow this fine-grained approach to security enforcement.

In terms of overall effectiveness, however, the Pro 2040 was one of only two appliances to successfully handle a virus-infected 160MB file copied via FTP. Besides the SonicWall and ServGate boxes, the other UTM appliances either failed to complete the transfer or failed to scan for the virus.
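Anyone repeating the large-file FTP test above, or probing a scanner’s file-size ceiling like the 50MB limit reported for the FortiGate, needs a harmless test file of a known size and a way to tell afterwards whether the gateway blocked it, stripped it, or passed it through unscanned. The following is an added example, not code from the review or from any of the vendors: it builds a ZIP archive containing the standard EICAR test string (which every anti-virus engine is required to detect) padded to a chosen size, and classifies the outcome from what arrives on the protected host. The function names, the 64KB bracketing margin and the outcome labels are this example’s own choices.

```python
"""Build an EICAR-bearing ZIP of a chosen size and classify what a gateway
did with it. Added example, not from the review; it assumes the appliance is
exercised by transferring the archive and comparing what arrives."""
import io
import zipfile
from typing import Dict, Optional

# Standard EICAR test string: harmless, but every AV engine must flag it.
# Assembled from two halves so this source file is not itself quarantined
# by a desktop scanner that matches the full string.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_archive(target_size: int) -> bytes:
    """Return a ZIP of at least target_size bytes whose first member is eicar.com.

    Members are stored uncompressed so the on-the-wire size is predictable,
    which is what matters when probing a scanner's file-size ceiling."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("eicar.com", EICAR)
        zf.writestr("padding.bin", b"\0" * max(0, target_size - len(EICAR)))
    return buf.getvalue()


def bracket_scan_limit(scan_limit: int, margin: int = 64 * 1024) -> Dict[str, bytes]:
    """Two archives straddling a scanner's size ceiling (e.g. the 50MB limit the
    review reports for the FortiGate): one it must scan, one that triggers the
    oversize policy (block, or pass through unscanned)."""
    return {"under": build_test_archive(scan_limit - margin),
            "over": build_test_archive(scan_limit + margin)}


def contains_eicar(data: bytes) -> bool:
    """What a gateway scanner has to do with an archive: open it and inspect
    each member, not just sniff the outer bytes. Falls back to a raw search
    if the data is not a ZIP at all."""
    needle = EICAR.encode()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(needle in zf.read(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return needle in data


def classify_outcome(sent: bytes, received: Optional[bytes]) -> str:
    """Verdict from what landed on the protected host after the transfer:
      blocked            transfer never completed (gateway dropped it)
      passed_with_virus  archive arrived intact with the test file still inside
      altered            something arrived, but not the original archive"""
    if received is None:
        return "blocked"
    if received == sent and contains_eicar(received):
        return "passed_with_virus"
    return "altered"


if __name__ == "__main__":
    # 160MB mirrors the review's test; use a smaller size for quick runs.
    archive = build_test_archive(160 * 1024 * 1024)
    print(len(archive), "bytes, contains EICAR:", contains_eicar(archive))
```

Write the archive to the "public" FTP server, fetch it through the appliance with the client under test (a browser, a command-line client, and a dedicated FTP client behave differently on proxy-based boxes, as the Astaro section notes), then pass what arrived to classify_outcome; a verdict of passed_with_virus on the "over" archive means the oversize policy is set to pass rather than block.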

IPS services are provided through a combination of in-house and Snort signatures. Deployment is very flexible with global and individual network zone assignments. As with the IPS found in the EdgeForce M30, signatures are grouped in categories and admins can enable/disable individual signatures. As with all of the UTM products, I couldn’t sneak any penetration attack past the Pro 2040.

Logging and reporting are included in the appliance, but to get the most detailed information on users and traffic patterns, admins will want to use SonicWall’s ViewPoint package, available at additional cost. Remote monitoring and administration is done through the SonicWall Global Management System. Be advised that SonicWall GMS requires an Oracle or Microsoft SQL Server database (neither is included).

WatchGuard Firebox X2500 Core

The Firebox X2500 Core has eight 10/100Mbps interfaces stuffed into a glossy red 1U chassis that looks more Ferrari than firewall. Along with the show there’s plenty of go. The Firebox wraps a stateful firewall around application proxies to build a solid security appliance that can keep the bad guys out while allowing granular outbound policies. The reporting and monitoring tools are some of the best anywhere. Initial configuration of the Firebox took a bit longer than most, but I still had the unit online in less than an hour.

As does the SonicWall Pro 2040, WatchGuard’s Firebox comes from a strong firewall background, and it shows in the X2500. Through a combination of packet filters and application proxies, admins can craft a security policy specific to the network’s needs. When defining policies, though, it is important to understand the traffic that will be passing through the Firebox and which security services need to be applied to it.

If the traffic is defined using a packet filter, there is no provision for scanning the traffic for viruses or other questionable activity. The only way to analyze the traffic is to push it through an application proxy. The Firebox does come with proxies for HTTP, FTP, DNS, SMTP, and generic TCP traffic, so the most common traffic will be covered, and there is no limit to how many different proxy definitions you can use. I created a variety of different HTTP policies using proxies, each one with specific security settings and rules.

UTM services are available in the Firebox, but all services aren’t available to all proxies. In some cases, the omission makes perfect sense; there is no need for Web content inspection on SMTP traffic. But for others, it could be a problem. For example, FTP traffic can be checked for validity and protected by IPS, but there is no facility for scanning FTP’d files for viruses. AV scanning is also missing from the HTTP proxy, although it does check for malware. The SMTP proxy is the only one that will scan for viruses.

Intrusion prevention is set up on a global basis and is handled by the TCP proxy. IPS worked well in my tests, preventing Core Impact from exploiting any of the exposed servers. WatchGuard’s IPS can block all further traffic from any address that it identifies as the source of an attack, which is an interesting feature but one to use with care: an attacker who can spoof source addresses can trigger it to lock out legitimate hosts, so the block list and its expiry deserve monitoring. During my penetration tests, I had to keep changing the IP address of my attack PC because the Firebox would deny its communications.

Dynamic routing is the best out of the group, featuring RIP v1 and v2 and also OSPF and BGP (Border Gateway Protocol). VPN services are also strong with IPSec site-to-site and client-to-site chores handled by PPTP, L2TP, and WatchGuard’s own mobile VPN client. QoS is available, although not as full-featured as Fortinet’s. Dynamic DNS is not supported.

WatchGuard shines in reporting and monitoring, with a mix of tools that provide an excellent view into the appliance’s health. Admins will spend much of their initial time in the Fireware Policy Manager defining policies and services. For day-to-day monitoring, the Firebox System Manager is the tool to use. WatchGuard’s ultimate geek toy is HostWatch, a real-time graphical traffic viewer.

Not all roses

Each of the five appliances does a very good job of keeping the bad stuff out while providing a fine level of control over users’ activity. Improvement is needed, however, in how anti-virus protection is handled. Viruses can enter on just about any protocol now, so not being able to scan all types of traffic isn’t going to cut it.

Sometimes it is a difficult task to rank a group of products, especially when only little things separate one from another. In the end, the results came down to just how complete the UTM services were in each appliance. The ServGate EdgeForce M30 and the SonicWall Pro 2040 completed all of my testing with flying colors, earning them the top scores in our roundup. Both of these appliances demonstrated excellent protection against attack and also applied all core UTM services across the various traffic types.

For situations where additional physical interfaces are required and FTP traffic isn’t a priority, the FortiGate 400A would be a good pick. Its rich features do come with a rich price tag, however. WatchGuard’s Firebox Core comes with a full range of services, as does the Astaro Security Gateway, and if FTP traffic isn’t part of the network’s day-to-day traffic, these too should be considered viable solutions.